Explorer Errors

[Damnatory]

WindowsME doesn't have the ability to end specific process'... And the program suggested before to do that ( Process Explorer), won't work on this machine for some reason.

Isn't CMD32.exe the executable for Windows' MS-Dos explorer?

Whats the cwShredder do?

[dopey]

the cmd32.exe is definitely a baddie.

Code:

http://www.liutilities.com/products/wintaskspro/processlibrary/cmd32/

these lines here tell me you have the coolwebsearch trojan:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

it basically redirects your searches to their search engines, adding bogus results as well.


edit: you should try again using the process explorer and highlight the file, then control-k to kill it.

[Damnatory]

Oh I believe you, but I'm just trying to find a way around the fact that I have to close out the mwrewind.exe, without having a process tab.

[dopey]

hopefully housecall will be able to take care of it for you.

but the process explorer should work. is there some error that it gives you? maybe i can get in touch with the developer to find out what's going on.

i'm not too familiar with windows me.

hopefully Jg427 will have some new ideas in the meantime

[Damnatory]

Ok, so I did all that, but the folder MWW32 had some tie with the modem, and I was unable to connect when I deleted it, so I had to restore that folder. Here's an update of the HJT log.

Code:

Logfile of HijackThis v1.97.7
Scan saved at 6:44:10 AM, on 7/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mallmonkeys.com/forum/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\S6U12BX\WATCH.exe
O4 - Startup: Event Reminder.lnk = c:\PMW\PMREMIND.EXE
O4 - User Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\S6U12BX\WATCH.exe
O4 - User Startup: Event Reminder.lnk = c:\PMW\PMREMIND.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38168.5109490741
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Jg427]

I don't see any more problems listed. Maybe dopey will see something I missed. That's a big difference from your first hjt log.

I would still look for the following files and delete any you find, hopefully most are already gone.

C:\WINDOWS\SYSTEM\CMD32.EXE
C:\WINDOWS\DHBRWSR.EXE
C:\WINDOWS\DHSVR.EXE
C:\WINDOWS\SYSTEM\MSNKMI.DLL
C:\WINDOWS\SYSTEM\MSKCEO.DLL
C:\WINDOWS\SYSTEM\MSEDAH.DLL
C:\WINDOWS\SYSTEM\MSKHHE.DLL
C:\WINDOWS\SYSTEM\MSDAIM.DLL
C:\WINDOWS\SYSTEM\MSJFBL.DLL
C:\WINDOWS\SYSTEM\MSIBKD.DLL
C:\WINDOWS\DEALHLPR.DLL

C:&#092;PROGRAM FILES&#092;ZSEARCH&#092;zSearch.dll <folder

I would also update IE to IE v6_SP1
I don&#39;t see any antivirus or firewall running.

The free version of Zone alarm works well.
AVG is the free antivirus that I use.

Disable system restore to get rid of infected restore points and then enable it.

[Damnatory]

Thanks Alot for all the help&#33; The OS is staying active and it&#39;s running faster than it used to.